Domain hijacking and the comeback of Pingtimeout.fr

For almost a year now, http://pingtimeout.fr was down. Today, it is back in a new service provider, with the now irrelevant articles removed. This effort was an opportunity to discover a "by-design" security weakness at Github Pages. Time for some feedback.

Old hosting plan at Blogger

Historically, since 2013, this blog was 100% hosted at Blogger.com. I simply created a transparent redirection of the domain pingtimeout.fr to the blog

But as time passed, I started disliking the user experience, especially when it came to publishing content. I had to write my articles locally in Markdown, to always have a local backup. Then the content was transformed to HTML fragments that I copied/pasted in Blogger’s interface. Finally, I had some style tweaks to apply because it never looked right immediately.

It had to change

Several years ago, I became fond of Asciidoc and Asciidoctor. I do not write any Markdown content anymore, unless there is really no other alternative. And therefore I wanted to use that format for my blog articles. After some research, I decided to use Github Pages

Initial architecture at Github Pages

The main idea was to use Github Pages to host the site itself, and to deal with every linked topic (CDN, HTTPS, …​). But I already ran into an issue: Github Pages does not support the Asciidoc syntax. I had to use Jekyll and the Jekyll-Asciidoc module.

Except that this module is not supported by Github Pages either. The only way to work around this limitation was to leverage a third-party build system. In my case, Travis-CI.

The resulting architecture is relatively complex for a simple blog. But at least the required features are there:

  • Articles were written in asciidoc

  • They are published on a Github repository

  • A third-party build system generate the blog pages and publishes them on Github Pages

  • The DNS for pingtimeout.fr is configured to redirect to pingtimeout.github.io

Initial Github Pages architecture with Asciidoc

Problem: the DNS redirection

The thing is, it dod not really work as expected. I configured the DNS of pingtimeout.fr so that both domains pingtimeout.fr and www.pingtimeout.fr were redirected to Github Pages. I wanted the blog to be reachable using both http://pingtimeout.fr and http://www.pingtimeout.fr.

And that is impossible with Github Pages.

In order for a DNS redirection to work, a CNAME file must exist in the Github Pages repository. That file must contain the redirected domain name. It can contain only one entry.

In other words, I had to accept that one of the two URLs would never work. Being a web hosting noob, and being also busy with many other things back then, I stopped working on that topic for a while.

Le hijacking

Recently, I started working again on the problem. I ran a lot of trials with many different configurations. And I noticed that, no matter what, the redirection from http://pingtimeout.fr to Github Pages never worked. It always redirected to a 404 Github page saying that no Github Pages could be found for this URL.

Error 404 from Github

And every time I rebuilt the website, I received this alert from Github:

The page build completed successfully, but returned the following warning for the master branch:

The CNAME pingtimeout.fr is already taken. Check out https://help.github.com/articles/troubleshooting-custom-domains/#cname-already-taken for more information.

For information on troubleshooting Jekyll see:

If you have any questions you can contact us by replying to this email.

After lots of research, I came to the conclusion that everything was in order on my side. The problem came from somewhere else, most likely Github. And I found this article in which the author explains how his domain was hijacked. I followed the same steps he did and ran a global Github search with the term pingtimeout.fr. And just like him, I found a matching repository.

Github search for the domain

It seems that this person found that one of the two DNS redirections was not properly configured. And they therefore attempted to created a Github repository to gain control of the content.

The Github documentation is clear about this. When a domain is entered in the CNAME file, is that domain is already used, the modification is refused. In other words, first come, first served. I sent several e-mails to Github support but never got any answer. The procedure to claim a hijacked domain does not seem to exist.

As @jehy says, it is very likely that bots are running all the time. Their goal is to identify poorly configured Github Pages redirections. Once they find one, they create a Github Pages website to hold the redirection. Or to inject some arbitrary and/or fraudulent content. Judging by the number of repositories that this user has, the bots must work pretty well.

Repositories list hijacking redirections

Fortunately, I was always in control of the pingtimeout.fr domain. I could therefore definitively kill the Github Pages redirection and take back the control of my site.

The 100% private simplified solution

Overall, this experience was very enlightening for me and allowed be to learn a lot of things.

I decided to completely delete my Github Pages website and to go back to a fully hosted solution at OVH. Github Pages offering is interesting, but it is not well suited to slightly complex use cases.

In my particular case, I wanted to:

  • Use both my APEX and www. domains to reach my blog

  • Redirect automatically all http traffic to https

  • Have an Asciidoc based workflow

The OVH documentation was very useful for me. In 2013, I had not subscribed to a hosting plan, I just bought the domain name with OVH. And I did put a lot of mess in my DNS zone. Once I had the hosting plan, I could easily clean up the DNS zone and get everything back on track.

All in all, I also simplified the workblog by replacing Jekyll by Hugo. Given that all the content was already in Asciidoc, the migration was very straightforward.


If you have any question/comment, feel free to send me a tweet at @pingtimeout. And if you enjoyed this article and want to support my work, you can always buy me a coffee ☕️.